Konrad Windszus created FELIX-6585:
--------------------------------------

             Summary: WebConsole Bundle Install via POST uses a location which is prone to clashes
                 Key: FELIX-6585
                 URL: https://issues.apache.org/jira/browse/FELIX-6585
             Project: Felix
          Issue Type: Bug
          Components: Web Console
    Affects Versions: webconsole-4.8.4
            Reporter: Konrad Windszus

When installing a bundle via the WebConsole bundle endpoint at
https://github.com/apache/felix-dev/blob/d55c61712b2bc6ceaa554d1cf99609990355aa4f/webconsole/src/main/java/org/apache/felix/webconsole/internal/core/BundlesServlet.java#L352
it always sets the bundle location to the filename of the multipart file POST request.

As that is usually stripped to the filename only by browsers (and does not contain the full path, https://commons.apache.org/proper/commons-fileupload/apidocs/org/apache/commons/fileupload/FileItem.html#getName--) this is not a very good identifier and the risk for clashes is pretty high.

In case the used BSN is unique the following code is executed:
https://github.com/apache/felix-dev/blob/d55c61712b2bc6ceaa554d1cf99609990355aa4f/webconsole/src/main/java/org/apache/felix/webconsole/internal/core/InstallHelper.java#L56
This will overwrite a bundle with the same location.

It would make sense to pick a more unique location value instead of the name.
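
A self-contained model of the clash described in the report, added here as an illustration (not code from Felix or from the reporter). The map, `install`, both location helpers and the `upload:` location format are hypothetical, and the byte strings are constructed sample data.

```java
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.LinkedHashMap;
import java.util.Map;

public class LocationClashDemo {
    // Toy stand-in for a location-keyed bundle table (assumption, not Felix code).
    static final Map<String, String> installed = new LinkedHashMap<>();

    // Models the reported behaviour: an install at an existing location replaces the entry.
    static void install(String location, String bsn) {
        String previous = installed.put(location, bsn);
        if (previous != null && !previous.equals(bsn)) {
            System.out.println("CLASH at " + location + ": " + previous + " replaced by " + bsn);
        }
    }

    // Scheme described in the report: the location is the uploaded file name only.
    static String locationFromFileName(String fileName) {
        return fileName;
    }

    // Hypothetical alternative: bind the location to the uploaded content as well.
    static String locationFromContent(String fileName, byte[] content)
            throws NoSuchAlgorithmException {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(content);
        return "upload:" + fileName + "#sha256=" + String.format("%064x", new BigInteger(1, digest));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample data: two unrelated bundles that share a file name.
        byte[] a = "constructed bytes of com.example.a".getBytes(StandardCharsets.UTF_8);
        byte[] b = "constructed bytes of com.example.b".getBytes(StandardCharsets.UTF_8);

        install(locationFromFileName("core.jar"), "com.example.a");
        install(locationFromFileName("core.jar"), "com.example.b"); // reports the clash
        System.out.println("file-name locations: " + installed.size() + " bundle(s) left");

        installed.clear();
        install(locationFromContent("core.jar", a), "com.example.a");
        install(locationFromContent("core.jar", b), "com.example.b");
        System.out.println("content-bound locations: " + installed.size() + " bundle(s) left");
    }
}
```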